[cap-talk] Capabilities - the rub, an account

Mark Miller erights at gmail.com
Mon Nov 27 11:28:00 CST 2006

On 11/27/06, Marcus Brinkmann <marcus.brinkmann at ruhr-uni-bochum.de> wrote:
> Communicating permissions through a third party may involve up to 6 IPC
> operations (without any nesting) and more if you need to [...]

The issue isn't IPC per se, as the boundaries that need to be crossed
are protection domain boundaries, not necessarily process or address
space boundaries. Language-based capability systems can cross such
boundaries at the cost of a method dispatch, which can often be
reduced to a procedure call or less using conventional optimization
techniques. W7, Joe-E, and Emily cross protection domains at exactly
the cost of a Scheme, Java, and OCaml procedure call as optimized by
those respective platforms.

However, the pure language-based approach can't deal with legacy code
and legacy unsafe languages. For these, protection based on
processes/address-spaces/IPC is still needed. Once there exist both
at least one mature adopted object-cap OS and one mature adopted
object-cap language, we should start to try building hybrid
architectures, to combine their advantages.

Text by me above is hereby placed in the public domain
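
The point about language-based systems, shown as an added example that is not part of the original message: a permission is handed through a third party using only method calls, with attenuation and revocation. JavaScript closures and frozen objects stand in for an object-capability language (an assumption; the post names W7, Joe-E, and Emily), and `makeLog`, `makeRevocableReader`, and `makeIntroducer` are hypothetical names.

```javascript
// Constructed example: each frozen object with closure-private state plays
// the role of one protection domain; holding a reference is the permission.

// Carol, the resource. Her entries are reachable only through her methods.
function makeLog() {
  const entries = [];
  return Object.freeze({
    append(line) { entries.push(String(line)); },
    read() { return entries.slice(); },   // copy, so callers cannot mutate
  });
}

// Attenuation plus revocation (caretaker pattern): a read-only facet that
// the grantor can switch off later.
function makeRevocableReader(log) {
  let target = log;
  const reader = Object.freeze({
    read() {
      if (target === null) throw new Error('revoked');
      return target.read();
    },
  });
  const revoke = () => { target = null; };
  return { reader, revoke };
}

// The third party: forwards whatever reference it is handed, one call each way.
function makeIntroducer() {
  let held = null;
  return Object.freeze({
    deposit(cap) { held = cap; },
    collect() { const cap = held; held = null; return cap; },
  });
}

function demo() {
  const log = makeLog();                        // Alice holds full authority
  log.append('boot');
  const { reader, revoke } = makeRevocableReader(log);
  const introducer = makeIntroducer();
  introducer.deposit(reader);                   // Alice -> third party
  const bobsCap = introducer.collect();         // third party -> Bob
  const seen = bobsCap.read();                  // Bob calls into Carol's domain
  const canAppend = typeof bobsCap.append === 'function';
  revoke();                                     // Alice withdraws the grant
  let afterRevoke;
  try { bobsCap.read(); afterRevoke = 'readable'; }
  catch (e) { afterRevoke = e.message; }
  return { seen, canAppend, afterRevoke };
}
```

Every boundary crossing in `demo` is an ordinary method call; Bob never holds a reference to the log itself, so the read-only facet is the whole of his authority.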

